Digital voting fears are grounded in facts
Opinion in the Roanoke Times 04 December 2005
I wanted to comment on two articles I have seen on your Web site, both concerning the WINVote machines specifically and paperless electronic voting in general.
The first, "Voter paper trail might be a blind alley," contains a relatively standard defense of paperless machines from Registrar Randall Wertz, based on security steps the state and localities take against tampering.
All of these steps are useful and necessary, but in the grand scheme they are nothing more than a sugar pill. The software that collects and tallies votes is complex, written to meet poor standards and has a history of failure. We, as computer scientists, know how to write good code (it runs our airplanes, our pacemakers and our military equipment), but we don't know how to do it on the cheap. Boeing spent $2 billion over five years to write the control software for the 777, and the final product contains less than one-fourth of the total amount of software that runs on your voting machines.
If airplane code were written to the same standards of reliability as voting machines, every day about 10 planes flying out of Baltimore/Washington International would experience a software failure during flight.
Testing can only reveal the presence of problems, not their absence. Otherwise, automakers and other companies would never have to issue a recall; their testing would be sufficient.
Hacking is not the primary threat. Failure due to an honest mistake is, such as the one in the 2004 general election in North Carolina. Election officials carried out all the steps Wertz described, but a single mistake led to the permanent loss of 4,500 votes, throwing two statewide races into disarray for nearly a year.
"I know we'll always have conspiracy theorists," he said. "They're sure the government people are out to get 'em."
Do these "conspiracy theorists" include the Association for Computing Machinery, the largest and most prestigious organization for professional computer scientists? The ACM supports strong development standards combined with a non-electronic (i.e., paper) record of every vote. This position is supported by more than 95 percent of its members: www.myacm.org/opinion/poll.cfm.
Again, honest mistakes have been far more damaging than the bogeyman of "hackers" that election officials mock and use as a strawman argument.
The second article, by Dave Price and titled "Voters need not fear the digital age," contains chest-thumping bluster, but few facts. I and the other members of the ACM do not fear the digital age. We just understand the limitations of the technology.
Price wrote, "I have a degree in information systems management, a national certification in computer repair and am fluent in several computer programming languages. The one thing I am sure of is that once you write a program and extensively test it, as Advanced has done, the darn thing works the same way every time."
For this statement alone, his certificates should be revoked. A program's correctness depends on how well it was written and whether the programmers considered every possible event, along with the correct way to respond. What if someone mashes the screen too hard and holds his finger down? What if the disk is full? Will it tell the voter to come back, or will it just throw his vote away? There are literally millions of "what ifs," and unless the programmers have the correct course of action for each, the machine will fail.
Price asserted that "Without a connection to the Internet, or a place to a floppy disk, they can never be subject to the horrors of identity theft, Trojan horses or e-mail phishing ... ."
This statement would be comforting if it had any basis in reality. Every WINVote machine has a wireless connection that it uses to get ballot layout information and report final results (WIN stands for "Wireless Information Network"). A van parked out of sight of election officials and protective procedures could connect to these machines, or at the very least observe the traffic between them, unnoticed.
Price referred to a summary screen as a way for voters to check accuracy. The machines in Carteret County, N.C., showed that kind of screen, too. Right before they discarded the electronic copy because there was no room on the hard drive, and flashed a message to the voter saying, "Thank you. Your vote has been successfully recorded."
"No identity theft, no Trojan horses, no e-mail phishing, no fraud. I made sure of that," Price wrote.
It's a relief to know he performed a source-code audit and confirmed that the code was written to military standards, checked the audit logs and did a forensic analysis on every machine to ensure that no tampering or errors occurred, and did extensive usability testing to ensure that no voter was confused by the interface on the machine. Perhaps Price could share his techniques with the rest of the computer science community, which has struggled to understand how to do these things in a quick and reliable way for seven decades.
Unless he didn't do all of those things, in which case this final statement is meaningless bluster, akin to kicking a car's tire and, assuming it fails to explode, declaring it a well-engineered piece of equipment.